Security Incidents mailing list archives

Re: "closed-port" backdoors


From: Joe Boyle <jboyle () PRIMARYKNOWLEDGE COM>
Date: Thu, 22 Mar 2001 13:11:35 -0500

In Phrack magazine (issue 52), there is an article describing some techniques
to weaken Linux using LKMs, including complete source. One of the features of
the module is to overload the socket system call so that whenever a packet is
received using recvfrom(), the size of the packet is inspected. If it matches
a magic size, a command is executed locally.

So, it isn't exactly what you asked for, but I believe it could be readily
modified to do what you described.

http://phrack.infonexus.com/search.phtml?view&article=p52-18

joe

On Wed, 21 Mar 2001, Andreas Hasenack wrote:
Has somebody seen in the wild a type of backdoor where
no ports are open until a specific set of packets are sent
to the machine?
For example, the backdoor would only bind to port X if
the machine receives SYN packets to three other ports in
sequence. I've seen code to do this (and sorry if it's not
new), but I haven't seen rootkits using it.
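From the defender's side, the pattern Andreas describes (a burst of SYNs to several closed ports from one source, followed by a connection to a port that was not listening before) is visible in firewall logs. The following is an added example, not code from either poster or from the Phrack article: it parses constructed iptables-style LOG lines (the line format and addresses are assumptions made for the example), groups dropped SYNs per source address, and flags any source that hits a minimum number of distinct closed ports inside a short time window, noting whether an accepted connection from the same source follows right after.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): 10.0.0.5 sends SYNs to three
# closed ports a second apart, then gets an accepted connection to 31337.
# 10.0.0.9 sends two SYNs 25 minutes apart, which should not be flagged.
SAMPLE_LOG = """\
Mar 21 10:00:01 host kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=7000 SYN
Mar 21 10:00:02 host kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=8000 SYN
Mar 21 10:00:03 host kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40002 DPT=9000 SYN
Mar 21 10:00:04 host kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40003 DPT=31337 SYN
Mar 21 10:05:00 host kernel: DROP IN=eth0 SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=50000 DPT=22 SYN
Mar 21 10:30:00 host kernel: DROP IN=eth0 SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=50001 DPT=80 SYN
"""

# Assumed log layout: syslog timestamp, "kernel:", a verdict prefix (the
# --log-prefix given to the LOG target), then the usual SRC=/DPT= fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<verdict>\w+) "
    r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)


def parse_syn_events(log_text):
    """Return (timestamp, verdict, src, dport) tuples for SYN log lines, time-ordered."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog time
        events.append((ts, m.group("verdict"), m.group("src"), int(m.group("dpt"))))
    events.sort(key=lambda e: e[0])
    return events


def find_knock_sequences(log_text, min_ports=3, window_s=30):
    """Flag sources that SYN at least min_ports distinct closed ports within window_s.

    Each finding lists the knocked ports and any port the firewall then
    ACCEPTED from the same source within window_s of the last knock.
    """
    by_src = defaultdict(list)
    for ev in parse_syn_events(log_text):
        by_src[ev[2]].append(ev)

    findings = []
    for src, evs in by_src.items():
        drops = [e for e in evs if e[1] == "DROP"]
        i = 0
        while i < len(drops):
            # Grow a run of distinct dropped ports that starts at drops[i]
            # and stays inside the time window.
            run = [drops[i]]
            j = i + 1
            while j < len(drops) and (drops[j][0] - run[0][0]).total_seconds() <= window_s:
                if drops[j][3] not in [r[3] for r in run]:
                    run.append(drops[j])
                j += 1
            if len(run) >= min_ports:
                last_ts = run[-1][0]
                opened = [
                    e[3] for e in evs
                    if e[1] == "ACCEPT" and 0 <= (e[0] - last_ts).total_seconds() <= window_s
                ]
                findings.append({"src": src, "ports": [r[3] for r in run], "then_accepted": opened})
                i = j  # skip past the run we just reported
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in find_knock_sequences(SAMPLE_LOG):
        print(f"{f['src']}: knocked {f['ports']}, then accepted on {f['then_accepted']}")
```

Run against real logs, the interesting case is a sequence of closed-port hits that is immediately followed by an accepted connection to a port that does not appear in the host's normal listening set; a plain port scan produces the first half of that pattern without the second.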